
2-4 Oracle Fusion Middleware Oracle WebLogic Scripting Tool

    // Continuation of the EmbeddedWLST example: the class declaration, the
    // interpreter field and the connect() method appear on the preceding page.
    private static void createServers() {
        // Build one WLST script as a string and hand it to the embedded interpreter.
        StringBuffer buf = new StringBuffer();
        buf.append(startTransaction());
        buf.append("man1=create('msEmbedded1','Server')\n");
        buf.append("man2=create('msEmbedded2','Server')\n");
        buf.append("clus=create('clusterEmbedded','Cluster')\n");
        buf.append("man1.setListenPort(8001)\n");
        buf.append("man2.setListenPort(9001)\n");
        buf.append("man1.setCluster(clus)\n");
        buf.append("man2.setCluster(clus)\n");
        buf.append(endTransaction());
        buf.append("print 'Script ran successfully ...' \n");
        interpreter.exec(buf.toString());
    }

    private static String startTransaction() {
        // Switch to the edit tree and open an edit session.
        StringBuffer buf = new StringBuffer();
        buf.append("edit()\n");
        buf.append("startEdit()\n");
        return buf.toString();
    }

    private static String endTransaction() {
        // Save the pending changes and activate them, blocking until activation completes.
        StringBuffer buf = new StringBuffer();
        buf.append("save()\n");
        buf.append("activate(block='true')\n");
        return buf.toString();
    }

    public static void main(String[] args) {
        new EmbeddedWLST();
        connect();
        createServers();
    }
}

2.3 Security for WLST

WLST uses the WebLogic Security Framework to prevent unauthorized users from modifying a WebLogic domain or from viewing encrypted data. The following sections describe the actions you must take to satisfy WLST security requirements:

■ Section 2.3.1, Securing the WLST Connection
■ Section 2.3.2, Securing Access to Configuration Data
■ Section 2.3.3, Securing Access to Security Data

2.3.1 Securing the WLST Connection

If you use WLST to connect to a WebLogic Server instance, Oracle recommends that you connect to the server instance through the administration port. The administration port is a special, secure port that all WebLogic Server instances in a WebLogic domain can use for administration traffic. By default, this port is not enabled, but Oracle recommends that you enable the administration port in a production environment. The default value for the administration port is 9002.

Separating administration traffic from application traffic ensures that critical administration operations (starting and stopping servers, changing a server's configuration, and deploying applications) do not compete with high-volume application traffic on the same network connection.

The administration port requires all communication to be secured using SSL. By default, all servers in a WebLogic domain use demonstration certificate files for SSL, but these certificates are not appropriate for a production environment. For information about configuring the administration port, see Administration Port and Administrative Channel in Configuring Server Environments for Oracle WebLogic Server.

2.3.2 Securing Access to Configuration Data

A WebLogic domain stores its configuration data in a collection of XML documents that are saved in the domain directory. For example, these configuration documents describe the names, listen addresses, and deployed resources in the domain. When one or more servers in a WebLogic domain are running, each server instance maintains an in-memory representation of the configuration data as a collection of Managed Beans (MBeans).

You must use your own security measures to make sure that only authorized users can access your domain's configuration files through the file system. Anyone who is authorized to access the domain's configuration files through the file system can use a text editor, WLST offline, or other tools to edit the configuration files.

2.3.2.1 Securing Access from WLST Online

If you use WLST to connect to a running instance of WebLogic Server, you must provide the credentials (user name and password) of a user who has been defined in the active WebLogic security realm. Once you are connected, a collection of security policies determine which configuration attributes you are permitted to view or modify. See Default Security Policies for MBeans in the Oracle WebLogic Server MBean Reference.

When you invoke the WLST connect command, you can supply user credentials by doing any of the following:

■ Enter the credentials on the command line. This option is recommended only if you are using WLST in interactive mode. For example:

    connect('weblogic', 'welcome1', 'localhost:7001')

  For more information, see connect in WebLogic Scripting Tool Command Reference.

■ Enter the credentials on the command line, then use the storeUserConfig command to create a user configuration file that contains your credentials in encrypted form and a key file that WebLogic Server uses to decrypt the credentials. On subsequent WLST sessions or in WLST scripts, supply the name of the file instead of entering the credentials on the command line. This option is recommended if you use WLST in script mode because it prevents you from storing unencrypted user credentials in your scripts. For example, to create the user configuration file and key file:

    connect('weblogic', 'welcome1', 'localhost:7001')
    storeUserConfig('c:/myFiles/myuserconfigfile.secure', 'c:/myFiles/myuserkeyfile.secure')

  To use the user configuration file and key file:

    connect(userConfigFile='c:/myfiles/myuserconfigfile.secure', userKeyFile='c:/myfiles/myuserkeyfile.secure')

  For more information, see connect and storeUserConfig in WebLogic Scripting Tool Command Reference.

■ Invoke the connect command from a directory that contains the domain's boot.properties file. By default, when you create an Administration Server, WebLogic Server encrypts the credentials and stores them in a boot.properties file. WLST can use this file only if you start WLST from the domain directory. For example, if you have not deleted the domain's boot.properties file, you can start WLST and invoke the connect command as follows:

    c:\mydomain\> java weblogic.WLST
    wls:/offline> connect()

  For more information, see connect in WebLogic Scripting Tool Command Reference.
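The following WLST script is an added example, not part of the Oracle documentation: it combines the two recommendations above by connecting through the SSL administration port and taking its credentials from a storeUserConfig() file pair instead of literals in the script. The host name and file paths are assumptions.

```jython
# Added example (not from the Oracle documentation): connect to the Administration
# Server over the SSL administration port using stored, encrypted credentials.
# ADMIN_URL, CONFIG_FILE and KEY_FILE are assumed values; adjust them to your domain.
import os

ADMIN_URL = 't3s://adminhost.example.com:9002'        # t3s: the admin port accepts SSL only
CONFIG_FILE = '/home/wls/.wlst/myuserconfigfile.secure'
KEY_FILE = '/home/wls/.wlst/myuserkeyfile.secure'

def secureConnect(url, configFile, keyFile):
    """Connect with the userConfigFile/userKeyFile pair. The function takes no
    password argument on purpose, so a literal password cannot creep into the script."""
    for path in (configFile, keyFile):
        if not os.path.isfile(path):
            raise IOError('missing credential file ' + path +
                          '; create the pair once, interactively, with storeUserConfig()')
    # The key file is what decrypts the config file, so the pair is only as safe as
    # its file-system permissions; WLST does not check those for you.
    connect(userConfigFile=configFile, userKeyFile=keyFile, url=url)
    print 'connected to ' + url

secureConnect(ADMIN_URL, CONFIG_FILE, KEY_FILE)
# ... configuration work goes here ...
disconnect()
exit()
```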

2.3.2.2 Writing and Reading Encrypted Configuration Values

Some attributes of a WebLogic domain's configuration are encrypted to prevent unauthorized access to sensitive data. For example, the password that a JDBC data source uses to connect to an RDBMS is encrypted. The attribute values are saved in the domain's configuration document as an encrypted string. In a running server instance, the values are available as an MBean attribute in the form of an encrypted byte array. The names of encrypted attributes end with Encrypted. For example, the ServerMBean exposes the password that is used to secure access through the IIOP protocol in an attribute named DefaultIIOPPasswordEncrypted.

Oracle recommends the following pattern for writing and reading encrypted attributes:

With WLST offline:

■ To write an encrypted value, pass the name of the encrypted attribute and an unencrypted string to the set command. For example:

    set('DefaultIIOPPasswordEncrypted', 'mypassword')

  WLST encrypts the string and writes the encrypted value to the domain's configuration file. For more information, see set in WebLogic Scripting Tool Command Reference.

■ WLST offline does not display the unencrypted value of an encrypted attribute. If you use the ls command to display management attributes, WLST offline returns asterisks as the value of encrypted attributes. If you use the get command, WLST offline returns a byte array that represents asterisks. For example:

    wls:/offline/wl_server/Server/examplesServer> ls()

  returns

    ...
    -rw-   DefaultIIOPPasswordEncrypted          ********
    ...

  while

    wls:/offline/wl_server/Server/examplesServer> get('DefaultIIOPPasswordEncrypted')

  returns

    array([42, 42, 42, 42, 42, 42, 42, 42], byte)

  For more information, see ls and get in WebLogic Scripting Tool Command Reference.

With WLST online, for each encrypted attribute, an MBean also contains an unencrypted version. For example, ServerMBean contains an attribute named DefaultIIOPPasswordEncrypted, which contains the encrypted value, and an attribute named DefaultIIOPPassword, which contains the unencrypted version of the value. To write and read encrypted values with WLST online:

■ To write an encrypted value, start an edit session. Then do either of the following:

  – Pass the name of the unencrypted attribute and an unencrypted string to the set command. For example:

        set('DefaultIIOPPassword', 'mypassword')

  – Pass the name of the encrypted attribute and an encrypted byte array to the set command. You can use the encrypt command to create the encrypted byte array (see encrypt in WebLogic Scripting Tool Command Reference). For example:

        set('DefaultIIOPPasswordEncrypted', encrypt('mypassword'))

  When you activate the edit, WebLogic Server writes the encrypted value to the domain's configuration file.

■ To read the encrypted value of the attribute, pass the name of the encrypted attribute to the get command. For example:

    get('DefaultIIOPPasswordEncrypted')

  returns

    array([105, 114, 111, 110, 115, 116, 101, 101, 108], byte)

■ To read the unencrypted value of the attribute, pass the name of the unencrypted attribute to the get command. For example:

    get('DefaultIIOPPassword')

  returns

    mypassword
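The following WLST online script is an added example, not part of the Oracle documentation: it rotates the IIOP password of the server named examplesServer (the name used in the ls() output above) inside an edit session, guards the Encrypted attribute against receiving a plain string, and reads the result back through both attributes. It assumes connect() has already succeeded and uses a placeholder for the new password.

```jython
# Added example (not from the Oracle documentation): write and read the paired
# DefaultIIOPPassword / DefaultIIOPPasswordEncrypted attributes with WLST online.
# Assumes an open connection; 'examplesServer' and the password are placeholder values.

def setPasswordAttribute(attrName, value):
    """set() wrapper: an attribute whose name ends in 'Encrypted' must receive the
    byte array produced by encrypt(), never a plain string, or the clear text would
    be stored as if it were already ciphertext."""
    if attrName.endswith('Encrypted') and isinstance(value, (str, unicode)):
        raise ValueError(attrName + ' requires encrypt(...) output, not a plain string')
    set(attrName, value)

newPassword = 'NEW-PASSWORD-PLACEHOLDER'

edit()
startEdit()
cd('/Servers/examplesServer')

# Writing through the unencrypted attribute: WebLogic Server encrypts on activation.
setPasswordAttribute('DefaultIIOPPassword', newPassword)

# Writing through the encrypted attribute: only encrypt() output is accepted.
try:
    setPasswordAttribute('DefaultIIOPPasswordEncrypted', newPassword)   # clear text: rejected
except ValueError, e:
    print 'rejected: ' + str(e)
setPasswordAttribute('DefaultIIOPPasswordEncrypted', encrypt(newPassword))

save()
activate(block='true')

# Reading back: the encrypted attribute yields a byte array, the plain one the clear
# text. Log only the former; printing DefaultIIOPPassword would leak the password
# into script output and log files.
encryptedBytes = get('DefaultIIOPPasswordEncrypted')
print 'DefaultIIOPPasswordEncrypted now holds ' + str(len(encryptedBytes)) + ' bytes'
```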

2.3.3 Securing Access to Security Data

Note: Do not pass an unencrypted string to the encrypted attribute. The encrypted attribute assumes that the value you pass to it is already encrypted.

The user names and passwords of WebLogic Server users, security groups, and security roles are not stored in a WebLogic domain's XML configuration documents. Instead, a WebLogic domain uses a separate software component called an Authentication provider to store, transport, and provide access to security data. Authentication providers can use different types of systems to store security data. The Authentication provider that WebLogic Server installs uses an embedded LDAP server.

When you use WLST offline to create a domain template, WLST packages the Authentication provider's data store along with the rest of the domain documents. If you create a domain from the domain template, the new domain has an exact copy of the Authentication provider's data store from the domain template. You cannot use WLST offline to modify the data in an Authentication provider's data store. You can, however, use WLST online to interact with an Authentication provider and add, remove, or modify users, groups, and roles. For more information, see Section 6.3, Managing Security Data (WLST Online).

2.4 Main Steps for Using WLST in Interactive or Script Mode

The following sections summarize the steps for setting up and using WLST:

■ Section 2.4.1, Invoking WLST
■ Section 2.4.2, Exiting WLST
■ Section 2.4.3, Syntax for WLST Commands

2.4.1 Invoking WLST

You can invoke WLST in the following ways:

■ Execute the appropriate shell script for your environment.
■ Execute the java weblogic.WLST command.
■ Run a WLST script.
■ Execute the WebLogic Scripting Tool command from the Start menu (Windows only).

See also Section 2.7, Running WLST from Ant.

2.4.1.1 Invoking WLST Using Provided Shell Scripts

To invoke WLST using a shell script, execute the commands that are appropriate for your environment. Environment variables are automatically set when you invoke WLST this way.

Note: If you notice that it takes a long time to create or update a domain using WLST on a UNIX or Linux operating system, set the CONFIG_JVM_ARGS environment variable to the following value to resolve this issue:

    -Djava.security.egd=file:/dev/./urandom